Solved

Need HELP with ACL, VPN, and port redirect on 1841 cisco series...

Posted on 2005-03-29
Last Modified: 2008-01-09
Okay….it has been a couple of years since I’ve played with IOS but here goes. I recently acquired an 1841 sec/k9 series Cisco router that will be our small office’s new edge device. Eventually I’ll have another firewall, DMZ, proxy, etc., but need work with what I have first.

Requirements: New router must perform NAT, have solid ACLs, forward port traffic to specific servers for specific traffic and do so securely, log illegal entry failures (or what appear to be attempted attacks), and allow for a VPN client to connect to our LAN through our router. Ideally, I want to be able to install Cisco’s ezVPN client on a user’s laptop or home machine, create for them a user on the VPN, and have each user be able to access their MS Exchange mail and any shared directories they need from home located on our LAN. Okay, this is a big chunk of work for me. My first idea was to use the SDM GUI and then just tweak the results.

**** CURRENT CONFIG LESS SECURE DATA (I hope) ****

!This is the running config of the router: 192.168.10.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [Name]
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip dhcp excluded-address 192.168.10.2 192.168.10.10
!
ip dhcp pool [DHCP Pool Name]
   network 192.168.10.0 255.255.255.0
   dns-server [WAN DNS Server]
   default-router [WAN gateway]
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description [WAN Connection]
 ip address [WAN interface] [Subnet Mask]
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description [LAN Connection]
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip http server
ip http access-class 1
no ip http secure-server
ip nat pool [Pool Name] 192.168.10.2 192.168.10.254 netmask 255.255.255.0
!
logging trap debugging
logging 192.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny   any

access-list 100 deny   ip [WAN network] [WAN broadcast] any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

*** This line is my attempt to allow all www traffic in that matches the criteria in CBAC. Below it is the redirect ***

access-list 101 permit tcp any eq www any eq www

****** Don’t know about this line or where it goes; trying to forward based on port to internal web server IP address ******

ip nat inside source static tcp [Inside Web Server] [port] interface [WAN Interface] [port]

access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host [WAN IP] echo-reply
access-list 101 permit icmp any host [WAN IP] time-exceeded
access-list 101 permit icmp any host [WAN IP] unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.10.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log

access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip any any
no cdp run
!
control-plane
!
banner login ^I know what you're thinking, 'cause I'm thinking the exact same ...
I've been thinking it since I got here: Why didn't I take the blue pill …^C
!
end


Barring some changes, and the obviously inappropriate banner at the end, this is what I have so far. I have no idea how to open the VPN tunnel….I’m still looking…but any advice would be greatly appreciated. I apologize for the long post…..but I feel much better being criticized here by my betters than at work by…them…

Thanks,

Bart
Question by:Barton_Day
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 13663680
A few suggestions:

1.  Remove access-list 100 as it really serves no purpose:

interface FastEthernet0/1
no ip access-group 100 in

no access-list 100

2.  Access-list 101 on the outside interface is essentially denying all traffic (except ICMP).  Here's a better list for the outside interface:

interface FastEthernet0/0
no ip access-group 101 in

no access-list 101
access-list 101 permit udp any eq 53 any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any eq 80 <--permit web traffic to the inside server
access-list 101 deny ip any any log  <--log denials (optional)

interface FastEthernet0/0
ip access-group 101 in

3.  To get NAT working, remove the NAT pool, and add the following:

no ip nat pool [Pool Name] 192.168.10.2 192.168.10.254 netmask 255.255.255.0

ip nat inside source list 102 interface fastethernet0/0 overload

Your port forward to the internal web server is correct as you have it.

4.  Your DHCP pool "default-router" is incorrect.  The default-router should be 192.168.10.1 (LAN connection).

5.  You are missing a default route to your ISP:

ip route 0.0.0.0 0.0.0.0 <next-hop-router>  <---next hop router is your ISP's router.


Get all that working first before you attempt the VPN.


0
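A small checker for the outside ACL proposed in the accepted solution, added here as an example (it is not from the thread or from Cisco): it evaluates ACL 101 top-down the way IOS does, so you can confirm that a new connection to port 80 and the return half of outbound sessions are admitted while any unsolicited connection to another port falls to the logged deny. The entries are copied from the answer; Packet, parse_entry and evaluate are my own names.

```python
from dataclasses import dataclass
# ACL 101 as proposed for FastEthernet0/0 inbound, without the "<--" notes.
ACL_101 = """
permit udp any eq 53 any
permit tcp any any established
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any any eq 80
deny ip any any log
""".strip().splitlines()

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # source port (tcp/udp only)
    dport: int = 0       # destination port (tcp/udp only)
    ack: bool = False    # TCP ACK or RST flag set, i.e. "established"
    icmp_type: str = ""  # e.g. "echo-reply" (icmp only)

def parse_entry(entry):
    """Parse one entry; only the 'any' address form is handled (all this ACL uses)."""
    toks = entry.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    ports = [None, None]
    for side in (0, 1):
        rest.pop(0)                       # the 'any' source/destination address
        if rest and rest[0] == "eq":      # optional port qualifier
            rest.pop(0)
            ports[side] = int(rest.pop(0))
    return action, proto, ports[0], ports[1], set(rest)

def evaluate(pkt, acl=ACL_101):
    """First-match evaluation top to bottom, ending in IOS's implicit deny."""
    for entry in acl:
        action, proto, sport, dport, opts = parse_entry(entry)
        if proto not in ("ip", pkt.proto):
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if "established" in opts and not pkt.ack:
            continue
        icmp_types = opts - {"log"}
        if pkt.proto == "icmp" and icmp_types and pkt.icmp_type not in icmp_types:
            continue
        return action, entry
    return "deny", "implicit deny"
```

Two things the run makes visible: inbound echo requests to the WAN address fall to the deny, so the router will not answer pings from outside, and "permit udp any eq 53 any" keys on the source port alone, so it is the CBAC inspection ("ip inspect DEFAULT100 out") rather than the ACL that actually tracks outbound UDP sessions.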
 

Author Comment

by:Barton_Day
ID: 13665535
JFrederick29, thank you so very much for your review....it is much appreciated....but it raised a few more questions.

You stated:
1. "Your port forward to the internal web server is correct as you have it." <------ Question: where should it be located and does it matter? I also intend to use this for mail, ssl, and so other services. Will this entry suffice?

2.  "ip route 0.0.0.0 0.0.0.0 <next-hop-router>" <----  Question: should I include the subnet mask?

3. Question: do you think I need a filter that is outbound on the LAN interface to prevent internal broadcasts from going out and such? I see that IP unreachable is already there and no redirects are allowed...just curious.

Thanks again.....I'm going to try a test run today....

Bart






Author Comment

by:Barton_Day
ID: 13665563
One quick clarification on this statement:

"I also intend to use this for mail, ssl, and so other services. Will this entry suffice?"

I would obviously add additional lines to the acl with the appropriate port and ip info.....

Bart
LVL 43

Expert Comment

by:JFrederick29
ID: 13670943
1.  No, it doesn't matter where it is located.  You will need to add a static NAT statement per port, for example:

ip nat inside source static tcp [Inside Web Server] 80 interface [WAN Interface] 80  <---web server
ip nat inside source static tcp [Inside Web Server] 443 interface [WAN Interface] 443  <---ssl server
ip nat inside source static tcp [Inside Web Server] 25 interface [WAN Interface] 25  <---smtp server
etc...

Yes, you'll need to add additional lines to the ACL for each port you are allowing from the outside, in (ssl, mail, etc...).

2.  The subnet mask is not needed, route statement looks like this "ip route 0.0.0.0 0.0.0.0 68.x.x.1"

3.  No, don't worry about using an ACL on the LAN interface unless you want to restrict what your inside users can access.

Author Comment

by:Barton_Day
ID: 13682351
JFrederick29 you rock.....when I fired up my router for this test run I already saw very positive activity. I just needed to tweak a line here and there but for the most part your help was outstanding. All the traffic was forwarded to the correct server and I must say the performance is nice....real nice. The one main thing I did have to do was to change the following line:

ip nat inside source list 102 interface fastethernet0/0 overload

to

ip nat inside source list 102 interface fastethernet0/1 overload

I was up all night working on the config so my brain is mush....so I'll worry about researching how to setup the VPN later.....but if you have any thoughts I'd be most interested in hearing them.

Thanks a million....have a great weekend man...

Bart

Author Comment

by:Barton_Day
ID: 13682396
Dude..you can tell I can't think worth a dime from lack of sleep 'cause I just got my comment backwards. It should read:

ip nat inside source list 102 interface fastethernet0/1 overload

changed to:

ip nat inside source list 102 interface fastethernet0/0 overload

For anyone following this discussion, my error was in configuring the inside [LAN] interface with the overload option. The correct method was to apply this overload to the outside [WAN] interface...

Bart
LVL 43

Expert Comment

by:JFrederick29
ID: 13683233
Glad to hear you got it working!

Author Comment

by:Barton_Day
ID: 13718099
Hey JFrederick29, I'm ready to crank out some VPN settings now but I am a little confused. I want to enable my router to accept incoming VPN connection requests so that users who are connecting to our LAN remotely can get to Exchange, shared drives, etc. I believe the first step is in using the crypto functionality in IOS to configure the IPSEC settings. I'd use ISAKMP but I don’t think I want to deal with certificates. So, I think I need the following:

***********************************************
router(config)#
crypto ipsec client ezvpn [name]
router(config-crypto-ezvpn)#

?? Do I want MODE CLIENT or NETWORK EXTENSION?

I see where to add a username and password for my remote users and I’ve read on how to configure the client they’ll be using. I’m just not too sure how to set up the router to allow for this type of connection.

Any quick suggestions?

Thanks again,

Bart

Author Comment

by:Barton_Day
ID: 13727967
JFrederick29 , hey  man you can ignore my last post....I found a real good VPN config online that I think will work....if it doesn't I'll start a fresh post.

Thanks for all of your help man.....


Bart